[I]ndividually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following:

(1) A first and last name.

(2) A home or other physical address, including street name and name of a city or town.

(6) Any other identifier that permits the physical or online contacting of a specific individual.

(7) Information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision.[4]

any information that permits the identity of an individual to be directly or indirectly inferred, including any information which is linked or linkable to that individual regardless of whether the individual is a U.S. citizen, lawful permanent resident, visitor to the U.S., or employee or contractor to the Department.[7]

information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.[8]

”

To distinguish an individual is to identify an individual.[9] Some examples of information that could identify an individual include, but are not limited to, name, passport number, social security number, or biometric data.[10] In contrast, a list containing only credit scores without any additional information concerning the individuals to whom they relate does not provide sufficient information to distinguish a specific individual.[11]

To trace an individual is to process sufficient information to make a determination about a specific aspect of an individual's activities or status.[12] For example, an audit log containing records of user actions could be used to trace an individual‘s activities.

In information security and privacy, "personally identifiable information" or "personally identifying information" (PII) is any piece of information which can be used to uniquely identify an individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual, or information that can be used to distinguish or trace the individual's identity. Generally included in this category are an individual's name or another personal identifier, social security number, biometric records, date and place of birth, and mother's maiden name.

Although the concept of PII is ancient, it has become much more important as information technology and the Internet have made it easier to collect PII, leading to a profitable market in collecting and reselling PII. PII can also be exploited by criminals to stalk or steal the identity of a person, or to plan a person's murder or robbery, among other crimes. As a response to these threats, many websiteprivacy policies specifically address the collection of PII, and lawmakers have enacted a series of legislation to limit the distribution and accessibility of PII.

“

A common misconception is that PII only includes data that can be used to directly identify or contact an individual (e.g., name, e-mail address), or personal data that is especially sensitive (e.g., Social Security number, bank account number). The OMB and NIST definition of PII is broader [see above]. The definition is also dynamic, and can depend on context. Data elements that may not identify an individual directly (e.g., age, height, birth date) may nonetheless constitute PII if those data elements can be combined, with or without additional data, to identify an individual. In other words, if the data are linked or can be linked ("linkable") to the specific individual, it is potentially PII.

Sometimes multiple pieces of information, none of which alone is considered PII, might still uniquely identify a person when combined. For example, what if a company employ only one 39-year old female with a residence in Roanoke, Virginia. In that case, the employer, age, gender, and city of residence are not PII elements by themselves, but become PII when they are presented together. This scenario is an example of PII established through indirect inference, while data elements such as a driver's license number constitute PII through direct inference.

Information that is not generally considered personally identifiable, because many people share the same trait, include:

First or last name alone, if common

Country, state, or city of residence

Age, especially if non-specific

Gender or race

Name of the school they attend or workplace

Grades, salary, or job position

Criminal record

When a person wishes to remain anonymous, descriptions of them will often employ several of the above, such as "a 34-year-old black man who works at Target". Note that information can still be private, in the sense that a person may not wish for it to become publicly known, without being personally identifiable. Moreover, sometimes multiple pieces of information, none of which are PII, may uniquely identify a person when brought together; this is one reason that multiple pieces of evidence are usually presented at criminal trials. For example, there may be only one Inuit person named Steve in the town of Lincoln Park, Michigan.

On the other hand, many businesses see this increasing load of legislation as excessive, an unnecessary expense, and a barrier to progress. The increasing complexity of the laws might force companies to consult a lawyer just to engage in simple business practices such as serverlogging, user registration, and credit checks. Some have predicted such measures may inhibit the industry as a whole, lowering wages and creating a barrier to entry. For this reason, a number of privacy laws stress the "acceptable uses" of PII.

↑Information elements that are not sufficient to identify an individual when considered separately might nevertheless render the individual identifiable when combined with additional information. For instance, if the list of credit scores were to be supplemented with information, such as age, address, and gender, it is probable that this additional information would render the individuals identifiable.